Snort mailing list archives

Snort and Banyard2 no data in logs.


From: Salvo <ilasa01 () linux rokeby com>
Date: Thu, 24 Oct 2013 16:56:43 +0100

Hello Members,

I am not a Snort expert and am trying to set up a working configuration.
The problem I experience is that the snort logs are empty. This is
what I have configured, starting from the basics.
*Network configuration:*

Server has two NICs. One is in the DMZ, the second is in the green zone.
Snort is configured for the NIC in the DMZ only, from where the external
traffic arrives.

*SNORT*

- snort-2.9.5.5;
- snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

- snort.conf
ipvar HOME_NET 10.X.X.X/24
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
.
.
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
.
.
config event_queue: max_queue 8 log 5 order_events content_length
.
output unified2: filename snort.log, limit 128

- Snort status
root     15999     1  0 11:34 ?        00:00:08 snort -i eth0 -c /etc/snort.conf -l /var/log/snort -v

- Snort troubleshooting
When snort runs, I see packets flow in my console. There are no errors in the
server messages file. Snort creates a "snort.log.138670864" file in the
log directory, but it remains empty.

*Barnyard2*

- barnyard2-1.9
- barnyard2.conf
config logdir: /var/log/snort
config hostname:      localhost
config interface:       eth0
config alert_with_interface_name
config set_gid: XXXXX ----> this is the snort user GID;
config set_uid: XXXXX ----> this is the snort user UID;
config waldo_file: /var/log/snort/barnyard2.waldo
config umask: 066
config verbose
config reference_net: 10.X.X.X/24
output alert_fast: stdout
output alert_syslog
output alert_syslog: host=XXX.XXX.XXX.XXX
output alert_syslog: host=server.domain.com:123
output database: log, mysql, user=snort_user password=snort_password dbname=snortdb host=servername

- Barnyard status

snort     35xx6     1  0 16:07 ?        00:00:00 ./barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

- Barnyard troubleshooting
The following status is logged in the messages file when barnyard starts
with the following command:
./barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
========================================

barnyard2[17xx]:
===============================================================================
Oct 24 16:07:23 server barnyard2[17xxx]: Record Totals:
Oct 24 16:07:23 server barnyard2[17xxx]:    Records:            0
Oct 24 16:07:23 server barnyard2[17xxx]:     Events:            0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:    Packets:            0 (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:
===============================================================================
Oct 24 16:07:23 server barnyard2[17xxx]: Packet breakdown by protocol (includes rebuilt packets):
Oct 24 16:07:23 server barnyard2[17xxx]:       ETH: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   ETHdisc: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:      VLAN: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:      IPV6: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   IP6 EXT: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   IP6opts: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   IP6disc: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:       IP4: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   IP4disc: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     TCP 6: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     UDP 6: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     ICMP6: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   ICMP-IP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:       TCP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:       UDP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:      ICMP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   TCPdisc: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   UDPdisc: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   ICMPdis: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:      FRAG: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:    FRAG 6: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:       ARP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     EAPOL: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   ETHLOOP: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:       IPX: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     OTHER: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:   DISCARD: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]: InvChkSum: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:    S5 G 1: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:    S5 G 2: 0          (0.000%)
Oct 24 16:07:23 server barnyard2[17xxx]:     Total: 0
Oct 24 16:07:23 server barnyard2[17xxx]:
===============================================================================
Oct 24 16:07:46 server barnyard2[35xx]: Running in Continuous mode
Oct 24 16:07:46 server barnyard2[35xx]:
Oct 24 16:07:46 server barnyard2[35xx]:         --== Initializing Barnyard2 ==--
Oct 24 16:07:46 server barnyard2[35xx]: Initializing Input Plugins!
Oct 24 16:07:46 server barnyard2[35xx]: Initializing Output Plugins!
Oct 24 16:07:46 server barnyard2[35xx]: Parsing config file "/etc/barnyard2.conf"
Oct 24 16:07:49 server barnyard2[35xx]: Log directory = /var/log/snort
Oct 24 16:07:49 server barnyard2[35xx]: No arguments to alert_syslog preprocessor!
Oct 24 16:07:49 server snort[35xx]: WARNING => Unrecognized syslog facility/priority: host=xxx.xxx.xxx.xxx
Oct 24 16:07:49 server snort[35xx]: WARNING => Unrecognized syslog facility/priority: host=server.domain.com:123
Oct 24 16:07:49 server snort[35xx]: Initializing daemon mode
Oct 24 16:07:49 server snort[35xx]: Daemon initialized, signaled parent pid: 35xx
Oct 24 16:07:49 server snort[35xx]: PID path stat checked out ok, PID path set to /var/run/
Oct 24 16:07:49 server snort[35xx]: Writing PID "35xx" to file "/var/run//barnyard2_eth0.pid"
Oct 24 16:07:49 server snort[35xx]: Node unique name is: server:eth0
Oct 24 16:07:49 server snort[35xx]: Daemon parent exiting
Oct 24 16:07:49 server snort[35xx]: database: compiled support for (mysql)
Oct 24 16:07:49 server snort[35xx]: database: configured to use mysql
Oct 24 16:07:49 server snort[35xx]: database: schema version = 107
Oct 24 16:07:49 server snort[35xx]: database:           host = server
Oct 24 16:07:49 server snort[35xx]: database:           user = snort_user
Oct 24 16:07:49 server snort[35xx]: database:  database name = snort_db
Oct 24 16:07:49 server snort[35xx]: database:    sensor name = server:eth0
Oct 24 16:07:49 server snort[35xx]: database:      sensor id = 1
Oct 24 16:07:49 server snort[35xx]: database:     sensor cid = 1
Oct 24 16:07:49 server snort[35xx]: database:  data encoding = hex
Oct 24 16:07:49 server snort[35xx]: database:   detail level = full
Oct 24 16:07:49 server snort[35xx]: database:     ignore_bpf = no
Oct 24 16:07:49 server snort[35xx]: database: using the "log" facility
Oct 24 16:07:49 server snort[35xx]:         --== Initialization Complete ==--
Oct 24 16:07:49 server snort[35xx]: Barnyard2 initialization completed successfully (pid=35xx)
Oct 24 16:07:49 server snort[35xx]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Oct 24 16:07:49 server snort[35xx]: Waiting for new spool file

- Log Directory
The snort directory rights are:
drwx------  2 snort snort     4096 Oct 24 11:40 snort

The snort log files are:
-rw-r--r--  1 root  root     0 Oct 24 11:34 alert
-rw-r--r--  1 root  root     0 Oct 24 11:40 barnyard2.waldo
-rw-------  1 root  root     0 Oct 24 11:34 snort.log.138670864

====================================

What am I doing wrong? Any help would be appreciated.

Thanks.
Salvo
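The post above quotes three things that have to agree for a Snort-to-Barnyard2 pipeline to carry events: the `output unified2: filename` base name in snort.conf (Snort appends a timestamp to it), the base name Barnyard2 is told to watch with `-f`, and the ownership and mode of the spool and waldo files relative to the account Barnyard2 drops to via `set_uid`/`set_gid`. The script below is an added example, not the poster's code and not part of Snort or Barnyard2. It parses those three inputs offline and reports any inconsistency. The sample inputs are constructed from the snippets in the message (a placeholder `10.0.0.0/24` stands in for the masked network), and `by2_user`/`by2_group` are assumed to be the account names the numeric `set_uid`/`set_gid` values resolve to.

```python
"""Offline consistency check for the Snort -> unified2 -> Barnyard2 handoff.

Added example (not Snort/Barnyard2 project code). It reads a snort.conf, a
barnyard2 command line and config, and `ls -l` output of the log directory,
and reports what would leave Barnyard2 reading nothing.
"""
import os
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample inputs, modelled on the snippets in the message above.
SNORT_CONF = """\
ipvar HOME_NET 10.0.0.0/24
output unified2: filename snort.log, limit 128
"""
BARNYARD2_CMDLINE = ("./barnyard2 -c /etc/barnyard2.conf -d /var/log/snort "
                     "-f snort.u2 -w /var/log/snort/barnyard2.waldo -D")
BARNYARD2_CONF = """\
config logdir: /var/log/snort
config set_gid: 1001
config set_uid: 1001
"""
# `ls -l /var/log/snort` as quoted in the message.
LS_OUTPUT = """\
-rw-r--r--  1 root  root     0 Oct 24 11:34 alert
-rw-r--r--  1 root  root     0 Oct 24 11:40 barnyard2.waldo
-rw-------  1 root  root     0 Oct 24 11:34 snort.log.138670864
"""


def unified2_basename(conf: str) -> Optional[str]:
    """Base name to which Snort appends the unified2 timestamp suffix."""
    m = re.search(r"^\s*output\s+unified2\s*:\s*filename\s+([^\s,]+)", conf, re.M)
    return m.group(1) if m else None


def cmdline_option(cmdline: str, flag: str) -> Optional[str]:
    """Value following a single-letter option such as -f or -w."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok == flag:
            return argv[i + 1]
    return None


def config_value(conf: str, key: str) -> Optional[str]:
    """Value of a `config <key>: <value>` line in barnyard2.conf."""
    m = re.search(rf"^\s*config\s+{re.escape(key)}\s*:\s*(\S+)", conf, re.M)
    return m.group(1) if m else None


def parse_ls(ls_text: str) -> Dict[str, Dict]:
    """Map file name -> {mode, owner, group, size} from `ls -l` lines."""
    files = {}
    for line in ls_text.splitlines():
        parts = line.split(None, 8)  # mode links owner group size mon day time name
        if len(parts) == 9 and parts[0][0] == "-":
            files[parts[8]] = {"mode": parts[0], "owner": parts[2],
                               "group": parts[3], "size": int(parts[4])}
    return files


def can_access(entry: Dict, user: str, group: str, perm: str) -> bool:
    """Unix rule: owner bits if owner, else group bits if in group, else other."""
    offset = {"r": 0, "w": 1}[perm]
    if entry["owner"] == user:
        return entry["mode"][1 + offset] == perm
    if entry["group"] == group:
        return entry["mode"][4 + offset] == perm
    return entry["mode"][7 + offset] == perm


def check_handoff(snort_conf: str, by2_cmdline: str, by2_conf: str,
                  ls_text: str, by2_user: str, by2_group: str) -> List[str]:
    """Return findings; an empty list means the handoff looks consistent.
    by2_user/by2_group: account names set_uid/set_gid resolve to (assumed)."""
    findings = []
    base = unified2_basename(snort_conf)
    prefix = cmdline_option(by2_cmdline, "-f")
    if base is None:
        findings.append("snort.conf has no 'output unified2' line, so nothing is spooled")
    if prefix is None:
        findings.append("barnyard2 was started without -f <spool base name>")
    if base and prefix and base != prefix:
        findings.append(f"spool name mismatch: Snort writes {base}.<timestamp> "
                        f"but Barnyard2 waits for {prefix}.<timestamp>")
    files = parse_ls(ls_text)
    drops_privs = config_value(by2_conf, "set_uid") is not None
    for name, entry in files.items():
        if base and name.startswith(base + "."):
            if entry["size"] == 0:
                findings.append(f"{name} is empty: Snort has written no unified2 records yet")
            if drops_privs and not can_access(entry, by2_user, by2_group, "r"):
                findings.append(f"{name} ({entry['mode']} {entry['owner']}:{entry['group']}) "
                                f"is unreadable once Barnyard2 drops to {by2_user}")
    waldo = cmdline_option(by2_cmdline, "-w")
    if waldo:
        entry = files.get(os.path.basename(waldo))
        if entry and drops_privs and not can_access(entry, by2_user, by2_group, "w"):
            findings.append(f"waldo file {waldo} is not writable by {by2_user}; "
                            "Barnyard2 cannot record its read position")
    return findings


if __name__ == "__main__":
    for f in check_handoff(SNORT_CONF, BARNYARD2_CMDLINE, BARNYARD2_CONF,
                           LS_OUTPUT, by2_user="snort", by2_group="snort"):
        print("-", f)
```

Run against the constructed inputs it reports four findings: the `snort.log` versus `snort.u2` base-name mismatch, the empty spool file, a spool file that is `0600 root:root` and so unreadable after the privilege drop, and a waldo file the dropped account cannot write. Feed it your own `snort.conf`, `ps` line, `barnyard2.conf` and `ls -l` output to get the same report for a real sensor.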
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net